Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2023-5134 - Easy Registration Forms Plugin

The Easy Registration Forms for WordPress is vulnerable to Information Disclosure via the 'erforms_user_meta' shortcode in versions up to, and including, 2.1.1 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with subscriber-level capabilities or above, to retrieve arbitrary sensitive user meta.

PLUGIN Easy Registration Forms

CVE-2023-5134

MEDIUM CVSS 4.3 2023-09-23
Threat Entry Updated 2024-11-21

CVE-2023-5125 - Contact Form By Formget Plugin

The Contact Form by FormGet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formget' shortcode in versions up to, and including, 5.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Contact Form By Formget

CVE-2023-5125

MEDIUM CVSS 6.4 2023-09-23
Threat Entry Updated 2024-11-21

CVE-2023-4774 - Connect Matomo Plugin

The WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp-piwik' shortcode in versions up to, and including, 1.0.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Connect Matomo

CVE-2023-4774

MEDIUM CVSS 6.4 2023-09-22
Threat Entry Updated 2024-11-21

CVE-2023-4716 - Media Library Assistant Plugin

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shortcode in versions up to, and including, 3.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Media Library Assistant

CVE-2023-4716

MEDIUM CVSS 6.4 2023-09-22
Threat Entry Updated 2024-11-21

CVE-2023-5063 - Widget Responsive For Youtube Plugin

The Widget Responsive for Youtube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube' shortcode in versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Widget Responsive For Youtube

CVE-2023-5063

MEDIUM CVSS 6.4 2023-09-20
Threat Entry Updated 2024-11-21

CVE-2023-5062 - Wordpress Charts Plugin

The WordPress Charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wp_charts' shortcode in versions up to, and including, 0.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wordpress Charts

CVE-2023-5062

MEDIUM CVSS 6.4 2023-09-20
Threat Entry Updated 2025-04-23

CVE-2023-4376 - Serial Codes Generator And Validator With Woocommerce Support Plugin

The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Serial Codes Generator And Validator With Woocommerce Support

CVE-2023-4376

MEDIUM CVSS 4.8 2023-09-19
Threat Entry Updated 2025-04-23

CVE-2023-2995 - Before 3 Plugin

The Leyka WordPress plugin before 3.30.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 3

CVE-2023-2995

MEDIUM CVSS 4.8 2023-09-19
Threat Entry Updated 2024-11-21

CVE-2023-5054 - Super Store Finder Plugin

The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.3. This is due to insufficient restrictions on the sendMail.php file, which allows direct access. This makes it possible for unauthenticated attackers to send emails with arbitrary content using the vulnerable site's server. Please note that this vulnerability has already been publicly disclosed with an exploit, which is why we are publishing the details without a patch available; we are attempting to initiate contact with the developer.

PLUGIN Super Store Finder

CVE-2023-5054

MEDIUM CVSS 5.8 2023-09-19
Threat Entry Updated 2024-11-21

CVE-2023-5001 - Horizontal Scrolling Announcement Plugin

The Horizontal scrolling announcement for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'horizontal-scrolling' shortcode in versions up to, and including, 9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Horizontal Scrolling Announcement

CVE-2023-5001

MEDIUM CVSS 6.4 2023-09-16
Threat Entry Updated 2024-11-21

CVE-2023-4963 - Ws Facebook Like Box Widget Plugin

The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ws Facebook Like Box Widget

CVE-2023-4963

MEDIUM CVSS 6.4 2023-09-15
Threat Entry Updated 2024-11-21

CVE-2023-4948 - Woocommerce Cvr Payment Gateway Plugin

The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_cvr_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update CVR numbers for orders.

PLUGIN Woocommerce Cvr Payment Gateway

CVE-2023-4948

MEDIUM CVSS 4.3 2023-09-14
Threat Entry Updated 2024-11-21

CVE-2023-4945 - Booster For Woocommerce Plugin

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in versions up to, and including, 7.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Booster For Woocommerce

CVE-2023-4945

MEDIUM CVSS 6.4 2023-09-14
Threat Entry Updated 2024-11-21

CVE-2023-4944 - Awesome Weather Widget Plugin

The Awesome Weather Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'awesome-weather' shortcode in versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Awesome Weather Widget

CVE-2023-4944

MEDIUM CVSS 6.4 2023-09-14
Threat Entry Updated 2024-11-21

CVE-2023-4841 - Feeds For Youtube Plugin

The Feeds for YouTube for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube-feed' shortcode in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Feeds For Youtube

CVE-2023-4841

MEDIUM CVSS 6.4 2023-09-14
Threat Entry Updated 2024-11-21

CVE-2023-4917 - Leyka Plugin

The Leyka plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.30.3 via the 'leyka_ajax_get_env_and_options' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including Sberbank API key and password, PayPal Client Secret, and more keys and passwords.

PLUGIN Leyka

CVE-2023-4917

MEDIUM CVSS 5.3 2023-09-13
Threat Entry Updated 2024-11-21

CVE-2023-4915 - Wp User Control Plugin

The WP User Control plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including, 1.5.3. This is due to the plugin using native password reset functionality with insufficient validation on the password reset function (in the WP User Control Widget). The function changes the user's password after an email address is provided. The new password is only sent to the user's email, so the attacker does not gain access to the new password.

PLUGIN Wp User Control

CVE-2023-4915

MEDIUM CVSS 5.3 2023-09-13
Threat Entry Updated 2024-11-21

CVE-2023-4893 - Crayon Syntax Highlighter Plugin

The Crayon Syntax Highlighter plugin for WordPress is vulnerable to Server Side Request Forgery via the 'crayon' shortcode in versions up to, and including, 2.8.4. This can allow authenticated attackers with contributor-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Crayon Syntax Highlighter

CVE-2023-4893

MEDIUM CVSS 6.4 2023-09-12
Threat Entry Updated 2024-11-21

CVE-2023-4890 - Jquery Accordion Menu Widget Plugin

The JQuery Accordion Menu Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcwp-jquery-accordion' shortcode in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jquery Accordion Menu Widget

CVE-2023-4890

MEDIUM CVSS 6.4 2023-09-12
Threat Entry Updated 2024-11-21

CVE-2023-4887 - Google Maps Plugin By Intergeo

The Google Maps Plugin by Intergeo for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'intergeo' shortcode in versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Google Maps Plugin By Intergeo

CVE-2023-4887

MEDIUM CVSS 6.4 2023-09-12